Using Information Security to Protect Critical National Infrastructure: Energy Sector is Hackers’ Biggest Target

Oil giant Chevron fends off as many as 500 hack attacks a week
The global giants of energy made security a priority in 2008 buoyed by high oil prices

Oil giant Chevron fends off as many as 500 hack attacks a week, a senior executive recently revealed. Separately an insider, who allegedly maliciously disabled an oil-leak detection system endangering the Southern California coastline, was indicted (see box-out).

Let’s not forget the unique challenges faced by upstream businesses. Many have a global reach and are operating within some of the most remote areas of the globe. In these remote areas, satellite is often the only available option. In other less remote areas, the companies have to partner with telecommunications vendors of an unknown quality.

It’s no wonder that security ‘insiders’ within America’s critical infrastructure industries, such as oil and gas, financial services, utilities, telecommunications and transport, believe that the nation’s energy complex is a bull’s-eye for the bad guys.

When asked in a survey for Secure Computing which industry was the biggest target, which was the most vulnerable to attack and which was the most detrimental if breached, the insiders picked the energy sector in all three cases, with 33% saying it was the biggest target, 30% saying it was the most vulnerable and 42% saying it would be the most detrimental if attacked.

An Onslaught of Attacks

No doubt Chevron is not alone in being battered by hackers, but Peter Breunig, the company’s general manager, IT strategy, architecture, and technology, told the audience at the Microsoft Global Energy Forum in February that some weeks as many as 500 attempts are made.

The global giants of energy made security a priority in 2008 buoyed by high oil prices, according to a PriceWaterhouseCoopers survey. Respondents reported significant gains in implementing an overall security strategy (up to 67% from 59% in 2007); actively monitoring information security intelligence (to 59% from 46%); and investing in the capabilities that build employee security awareness - such as training programs (to 58% from 41%) and people dedicated to running them (to 58% from 45%).

This year may be a different story, ponders Ray Slocumb, a Houston-based PwC partner. “With oil prices hovering near $40 a barrel in January 2009, the temptation will exist for energy companies to cut spending. One of the first areas that are likely to be impacted by spending cuts is technology, and, by extension, efforts to bolster information security are at risk.”

While implementation of security procedures is moving forward, the PwC survey identified gaps in coverage that are probably caused by the sheer complexity of issues that the oil and gas industries face.

Multiple Challenges

First there is the global reach of the major players; then there is the size of the companies, combined with another layer of challenge: joint ventures, partnerships, contractors, and offshoring, all of which are common practices within the industry.

“Knowing who is accessing your data is critical,” says Slocumb. Yet the PwC survey revealed that while oil and gas companies have made advances in deploying centralized user data stores (up to 68% from 50% in 2007), fewer than half have reduced single sign-on software (44%) and automated account de-provisioning (32%).

There are a host of companies that provide authentication software but Vopak, the world’s largest provider of tank terminals for oil and gas, chose a solution from Signify.

With more than 3 500 employees spread across the globe operating from different sites and often on the move, Vopak wanted to provide remote access but without compromising security. Simple password access was not an option.

Two-factor authentication (2FA) was essential to the solution, requiring two distinct proofs of identity before granting access, said Lambert Caljouw, the company’s enterprise architect.

Nowadays more than 500 Vopak employees have been issued with small RSA SecurID tokens from Signify, usually carried on a key ring, that produce a new unique one-time passcode every 60 seconds. By using this passcode along with their known username and secret PIN, Vopak staff can identify themselves and gain immediate access to authorized resources.
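The PIN-plus-rolling-passcode check described above, as an added example that is not from the article, Vopak or Signify. RSA SecurID's algorithm is proprietary, so this substitutes the open RFC 6238 time-based scheme with the same 60-second step; the 6-digit code length, the PBKDF2 PIN hashing and the sample user are assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the article's tokens show a new code every 60 seconds
DIGITS = 6         # assumption: the article does not give the code length


def passcode(secret: bytes, unix_time: int) -> str:
    """RFC 4226 HOTP computed over the RFC 6238 time-step counter."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation picks 4 bytes of the MAC
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def verify(user: dict, pin: str, code: str, now: int) -> bool:
    """Grant access only if the PIN and the token passcode are both right."""
    pin_ok = hmac.compare_digest(hash_pin(pin, user["salt"]), user["pin_hash"])
    guess, matched = code.encode(), None
    # Accept the current step and the previous one to absorb clock drift.
    for t in (now, now - STEP_SECONDS):
        if t >= 0 and hmac.compare_digest(passcode(user["secret"], t).encode(), guess):
            matched = t // STEP_SECONDS
            break
    if not pin_ok or matched is None:
        return False
    if matched <= user["last_step"]:
        return False  # a one-time code is refused when its step was already used
    user["last_step"] = matched
    return True


def demo_user() -> dict:
    # Constructed sample user; the secret is the published RFC 4226 test key.
    salt = b"constructed-salt"
    return {"salt": salt, "pin_hash": hash_pin("4821", salt),
            "secret": b"12345678901234567890", "last_step": -1}
```

Recording the last accepted time step is what makes an intercepted passcode useless even inside its 60-second validity window.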

Because of its size and complexity, the oil and gas industry is awash with data, all of which is important but some of which is more important than others. For instance there is financial information, seismic data, customer information, project specific information, and chemical formulas.

All of this data needs to be protected in some manner; however, the level of protection should be driven by the company's data classification model. This approach helps reduce the company's overall spend by protecting only the data that is considered truly important.

Oil Hack Endangers California Coast
Federal authorities are claiming a disgruntled oil industry consultant exposed Southern California’s coast to environmental damage when he disabled an oil-leak detection system.

The authorities say that Mario Azar, 28, was upset after not being offered a full-time job with Pacific Energy Resources after working as a consultant with the company.

So for a nearly two-month period last summer, he hacked into the company’s computers using multiple accounts he had set up before he left. The hack temporarily disabled a computer system detecting pipeline leaks for three oil derricks off Huntington Beach.

"It was offline. The leak-detection system was rendered inoperable for a period of time," Thom Mrozek, a spokesman for Los Angeles federal prosecutors, told reporters.

Azar is said to face a maximum ten-year sentence when the case goes to trial.
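The box-out's leftover accounts are the case that the automated account de-provisioning mentioned earlier is meant to catch. The audit below is an added example, not code from the article or from any company named in it; the roster and account records, their field names and all dates are constructed.

```python
from datetime import date

# Constructed sample data (all names and dates are hypothetical).
ROSTER = {  # person -> contract end date, None while still engaged
    "it_admin": None,
    "engineer_b": None,
    "consultant_a": date(2024, 3, 31),
}
ACCOUNTS = [  # directory export, one record per login account
    {"name": "consultant_a", "owner": "consultant_a", "created_by": "it_admin",
     "enabled": True, "last_login": date(2024, 5, 2)},
    {"name": "svc_test1", "owner": None, "created_by": "consultant_a",
     "enabled": True, "last_login": date(2024, 5, 9)},
    {"name": "engineer_b", "owner": "engineer_b", "created_by": "it_admin",
     "enabled": True, "last_login": date(2024, 5, 10)},
    {"name": "consultant_a2", "owner": "consultant_a", "created_by": "consultant_a",
     "enabled": False, "last_login": date(2024, 3, 1)},
]


def has_left(roster, person, today):
    """People missing from the roster count as departed: nobody vouches for them."""
    if person not in roster:
        return True
    end = roster[person]
    return end is not None and end < today


def audit(accounts, roster, today):
    """Return {account name: [reasons]} for enabled accounts to de-provision."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        reasons, owner = [], acct["owner"]
        if owner is None:
            reasons.append("no accountable owner")
            if has_left(roster, acct["created_by"], today):
                reasons.append("created by departed user")
        elif has_left(roster, owner, today):
            reasons.append("owner departed")
            end = roster.get(owner)
            if end and acct["last_login"] and acct["last_login"] > end:
                reasons.append("login after end date")
        if reasons:
            findings[acct["name"]] = reasons
    return findings
```

Checking `created_by` as well as `owner` is what surfaces accounts a departing user set up for themselves under another name.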



The two types of systems used by oil and gas that have governments and infrastructure mavens most worried are process control systems and supervisory control and data acquisition (SCADA) systems.

To help ensure the increasing security of process control systems, the Department of Homeland Security this year formed a public/private working group to try to stop attacks that affect IT from spreading into what it calls industrial control systems.

Federal government concern with the vulnerability of the oil industry’s SCADA systems goes back more than a decade.

In recent years, the integration of SCADA systems with corporate business systems to achieve operating efficiencies has brought the realization that this interconnectedness carries more security risk.

At one time the risk might have been viewed as purely an industry issue, says John Lazarus, Symantec’s industry solutions manager. However, the federal government has become more actively involved. “The reason is simple: the SCADA systems that control essential infrastructures are vital to national security.”

Regulation Needed

That said, there is disappointment that, although President Obama has already completed an extensive review of the country’s cybersecurity issues, one solution proposed by the Center for Strategic and International Studies (CSIS) in its report Securing Cyberspace for the 44th President didn’t gain immediate traction.

That solution was the introduction of government regulation to secure both SCADA and industrial control systems. Michael Markulec, COO at Lumeta, faulted the Obama Administration for not taking up the recommendation. “The interconnected nature of our national infrastructure opens up new possibilities not just for stealing information, but also for wreaking real physical havoc, and the line that separates a nation's physical security from its cybersecurity has largely disappeared,” he says.

Brian Ahern, CEO of Industrial Defender, agrees that “implementing a sound cyber security strategy is absolutely vital toward protecting our nation’s resources and ultimately, ensuring citizen safety.”

He believes current regulatory compliance directives, such as the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP) and Chemical Facility Anti-Terrorism Standards (CFATS) mandates, have paved the way for improving critical infrastructure security protection – with the associated costs of these regulations being primarily absorbed by the private sector to date.

“These outdated legacy systems that protect our oil, gas, electric, water and power plants are all at risk simply because they were initially designed at a time when cybersecurity concerns were a non-issue,” he says.
